New ISO 20000-1:2018 Changes, Implementation Steps
Download as PPTX, PDF2 likes2,026 views
The ISO/IEC 20000-1:2018 standard focuses on improving IT service management processes for organizations, enhancing service quality, and promoting compliance through structured management systems. Key changes in the 2018 revision include an alignment with common ISO structural guidelines, the introduction of new requirements in areas like asset and knowledge management, and a reduction in mandatory documented procedures. The transition period for organizations already certified under the previous version extends up to three years, emphasizing the need for training and gap assessments for compliance.
New ISO 20000-1:2018 Changes, Implementation Steps
- 1. WE NEED TO BE SURE ISO/IEC 20000-1:2018 Information Services Management System Presented By: Alfredo Cortes - Regional Sales Manager – SGS
- 2. WE NEED TO BE SURE ISO/IEC 20000 STANDARD…. • The ISO 20000 standard focuses on the integration and implementation of coordinated service management processes. Its aim is to provide ongoing control, greater efficiency and opportunities for continuing improvement. That means working within your organization to align the staff and procedures of your service desk, service support, service delivery and operations team. • The standard aimed at achieving quality assurance in IT service quality consists of two main parts. • ISO 20000-1 - a formal specification that defines the requirements for an organization to deliver managed services of an acceptable quality for customers, against which your compliance can be assessed • ISO 20000-2 - a Code of Practice that describes the best practices for Service Management processes within the scope of ISO 20000-1. The Code of Practice is particularly useful for organizations preparing for an audit against ISO 20000-1 or planning service improvements • ISO 20000 certification demonstrates the reliability and quality of your IT services to employees, stakeholders and customers. • We offer a wide variety of training courses for all levels of ability and awareness including Foundation and Lead Auditor Training programs. • An ISO 20000 certification audit from SGS will help your organization develop and improve performance.
- 3. WE NEED TO BE SURE Revision Update at a glance • The ISO/IEC 20000 standard has been 7 years since the standard it is last being reviewed and revised by ISO/IEC JTC1/SC40. • The new revision was published on September 15th by ISO. • The direction of the changes in ISO/IEC 20000-1:2018 is to expected and aligns with High Level Structure and Common Core Texts and Definitions commonly adopted by the general practices of the other updated ISO management system standards such as ISO 9001:2015 and ISO/IEC 27001:2013.
- 4. WE NEED TO BE SURE Annex SL • Annex SL is a ISO guideline for developing ISO standards • Annex SL harmonizes structure, text and terms and definitions, while leaving the standards developers with the flexibility to integrate their specific technical topics and requirements. • All new ISO management system standards will use Annex SL as the template for their structures. As ISO management system standards come up for revision, they will all be brought in line with Annex SL as well.
- 5. WE NEED TO BE SURE High-Level Structure (HLS) • HLS is a set of 10 clauses that all ISO management system standards are required to use in the future. • This is so that all management system standards will have the same look and feel, and will enable greater integration between systems of different disciplines.
- 6. WE NEED TO BE SURE High-Level Structure (HLS) 1. Scope 2. Normative references 3. Terms and definitions 4. Context of the organization 5. Leadership 6. Planning 7. Support 8. Operation 9. Performance evaluation 10. Improvement
- 7. WE NEED TO BE SURE Common terms and core definitions • Annex SL contains 22 terms and definitions • These must be addressed • cannot be deleted or changed • but can be added to as required by each standard / discipline
- 8. WE NEED TO BE SURE Common terms and core definitions 3.01 Organization 3.12 Process 3.02 Interested party 3.13 Performance 3.03 Requirement 3.14 Outsource 3.04 Management system 3.15 Monitoring 3.05 Top management 3.16 Measurement 3.06 Effectiveness 3.17 Audit 3.07 Policy 3.18 Conformity 3.08 Objective 3.19 Nonconformity 3.09 Risk 3.20 Correction 3.10 Competence 3.21 Corrective action 3.11 Documented information 3.22 Continual improvement
- 9. WE NEED TO BE SURE The key changes made in upgrade version
- 10. WE NEED TO BE SURE Change of terminology and definitions Each standard includes some generic management system terms and definitions in addition with standard specific terms. Currently, ISO 22301, ISO 27001, ISO 9001 and ISO 14001 already include terms and definitions in the standard. To fit with the Annex SL core text and common definitions, some terminology are changed: “service provider” is replaced by “organization” “internal group” is replaced by “internal supplier” while “supplier” is replaced by “external supplier”
- 11. WE NEED TO BE SURE Change of terminology and definitions “information security” has been aligned with ISO/IEC 27000. Subsequently the term “availability” has been replaced by “service availability” to differentiate from the term “availability” which is now used in the revised definition of “information security”.
- 12. WE NEED TO BE SURE Integration with management systems The content of the new ISO/IEC 20000 standard is formatted into new High-level Structure (HLS) structure and introduces some of the new requirements The same structure adopted by other popular management system standards such as ISO/IEC 22301:2012, ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015. ITSM ISMS QMS
- 13. WE NEED TO BE SURE Integration with management systems Clause 5-9 2011 Version Clause 8a 2018 Version The “13 processes” in the IT Service Management model is now spread (with modifications) in Clause 8 of ISO/IEC 20000- 1:2018. This has introduced new common core requirements such as “context of the organization” and “risks and opportunities” are being introduced in the standard as a result.
- 14. WE NEED TO BE SURE Clauses re-arrangement A few clauses which were previously combined together are now separated e.g. Incident and service request, service availability and service continuity, etc. 2011 8.1 Incident and service request management 8.2 Problem management 6.3. Service continuity and availability management 2018 8.6.1 Incident management 8.6.2 Service request management 8.6.3 Problem management 8.7.1 Service availability management 8.7.2 Service continuity management
- 15. WE NEED TO BE SURE More comprehensive view of IT services The concept of service portfolio management throughout the service lifecycle is introduced. The Service Portfolio is the totality of all service records for all services. Each service is listed along with its current status and history. The Service Portfolio might include service pipeline, service catalogue and retired services. Amongst them, only the Service Catalogue is available to the customers.
- 16. WE NEED TO BE SURE Minimised the required documented information The number of required documented procedures is reduced. Documented availability and capacity plans are no longer mandatory and is replaced with requirements to plan service availability and capacity. Configuration management database (CMDB) is replaced with the requirements for configuration information. Release policy is replaced with a requirement to define release types and frequency Continual improvement policy is replaced with a requirement to determine evaluation criteria for opportunities for improvement.
- 17. WE NEED TO BE SURE New requirements Some new requirements are added: Knowledge management Asset management Demand management
- 18. WE NEED TO BE SURE 5.3 Organization roles, responsibilities and authorities ISO/IEC 20000-1:2011 Clause 4.1.4 Management Representative ISO/IEC 20000-1:2018 Clause 5.3 Top management shall assign the responsibility and authority for Ensuring that conformity to standard requirements Reporting the performance of ITSM and services to top management MR is no longer a mandatory role
- 19. WE NEED TO BE SURE 6.1 Address risks and opportunities • ISO/IEC 20000-1:2011 • Clause 6.6.1 • Only focus on information security risk assessment • ISO/IEC 20000-1:2018 • Clause 6.1 • The organization shall determine and document • Risks related to • The organization • Not meeting service requirements • The involvement of other parties in the service lifecycle • Impact • Risk acceptance criteria • Approach to address risks
- 20. WE NEED TO BE SURE ISO/IEC 20000-1:2011 Clause 6.6.1 Information security management – Information security policy – Information security objectives – Determine risks – Risk acceptance criteria – Information security risk assessment – Information security audits ISO/IEC 20000-1:2018 – Clause 8.7.3.1 Information security policy – Clause 6.1 Risks and opportunities » Risks » Impact » Risk acceptance criteria » Approach to address risks – Clause 8.7.1 risks to service availability – Clause 8.7.2 risks to service continuity – Clause 8.7.3.2 Information security risks 8.7.3 Information security management
- 21. WE NEED TO BE SURE 8.2 Service portfolio ISO/IEC 20000-1:2011 Configuration management ISO/IEC 20000-1:2018 Asset management Ensure the assets used to deliver services are managed to meet the service requirements and obligations. Configuration management
- 22. WE NEED TO BE SURE Documented Information ISO/IEC 20000-1:2011 Policy and objectives Service management plan Catalogue of services SLAs Service management processes Document control procedures ISO/IEC 20000-1:2018 Scope Policy and objectives Service management plan Change management policy Information security policy service continuity policy Service requirements Service catalogue(s) SLAs Contracts with suppliers Agreements of suppliers
- 23. WE NEED TO BE SURE ISO/IEC 20000-1:2018 vs. ITIL Service Strategy Strategy Generation Service Portfolio Management Demand Management IT Financial Management Service Design Service Catalogue Management Service Level Management Capacity Management Availability Management Service Continuity Management Information Security Management Supplier Management Service Transition Transition Planning & Support Change Management Service Asset & Configuration Management Release & Deployment Management Service Validation & Testing Evaluation Knowledge Management Service Operation Event Management Incident Management Request Fulfilment Problem Management Access Management Continual Service Improvement Service Measurement Service Reporting Service Improvement
- 24. WE NEED TO BE SURE Transition to ISO/IEC 20000-1:2018 If you are already certified, there will be a 3-year transition period. Sept 2018 Your Transition Assessment Sept 2021
- 25. WE NEED TO BE SURE Tips on preparing a transition plan 1Get yourself familiar with the new document. 2Identify the gap between your existing management system and the new requirements that need to be addressed. 3Initiate an project plan for compliance with the new and changed requirements. 4Provide appropriate training and awareness for all parties involved in the scope of services management system 5Communicate with the certification body about the transition for the new revision.